Method and apparatus for providing conditional access based on channel characteristics

ABSTRACT

A first network device may discover one or more values of one or more parameters corresponding to a plurality of links and/or devices of the network. The first network device may compare the discovered one or more values of the one or more parameters to an expected one or more values of the one or more parameters. The first network device may determine whether to transmit data onto a network path between the first device and one of the plurality of devices based on a result of the comparison, wherein at least one of the plurality of links and/or devices are not part of the network path. The first network device may be operable to utilize the discovered parameter values to generate a security key which may be utilized to encrypt and/or scramble content prior to transmitting the content onto the network.

CLAIM OF PRIORITY

This application is a divisional of U.S. patent application Ser. No. 13/328,721 filed on Dec. 16, 2011 and now patented as U.S. Pat. No. 8,897,157 which is herein incorporated by reference in its entirety.

INCORPORATION BY REFERENCE

This patent application also makes reference to:

U.S. patent application Ser. No. 13/326,125 entitled “System and Method in a Broadband Receiver for Efficiently Receiving and Processing Signals” and filed on Dec. 14, 2011.

U.S. patent application Ser. No. 13/316,796 entitled “System and Method for Conditional Access in an In-Home Network Based on Multi-Network Communication” and filed on Dec. 12, 2011.

Each of the above-referenced applications is hereby incorporated herein by reference in its entirety.

FIELD OF THE INVENTION

Certain embodiments of the invention relate to networking. More specifically, certain embodiments of the invention relate to a method and apparatus for providing conditional access based on channel characteristics.

BACKGROUND OF THE INVENTION

Conventional methods of network security and content protection are often ineffective. Further limitations and disadvantages of conventional and traditional approaches will become apparent to one of skill in the art, through comparison of such systems with some aspects of the present invention as set forth in the remainder of the present application with reference to the drawings.

BRIEF SUMMARY OF THE INVENTION

A method and/or apparatus is provided for providing conditional access based on channel characteristics, substantially as illustrated by and/or described in connection with at least one of the figures, as set forth more completely in the claims.

These and other advantages, aspects and novel features of the present invention, as well as details of an illustrated embodiment thereof, will be more fully understood from the following description and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A depicts an exemplary network in which content is protected utilizing a network fingerprint.

FIG. 1B depicts an exemplary network in which content is protected utilizing a network fingerprint.

FIG. 2 depicts an exemplary network device for use in a network that is secured utilizing a network fingerprint.

FIGS. 3A, 3B, and 3C depict exemplary network fingerprints.

FIG. 4 is a flowchart illustrating exemplary steps for protecting content utilizing a network fingerprint.

FIG. 5 is a flowchart illustrating exemplary steps for protecting content utilizing a network fingerprint.

FIG. 6 is a flowchart illustrating content protection utilizing a security key generated based on a network footprint.

FIG. 7 is a flowchart illustrating exemplary steps for controlling access to a network based on a network fingerprint.

DETAILED DESCRIPTION OF THE INVENTION

As utilized herein the terms “circuits” and “circuitry” refer to physical electronic components (i.e. hardware) and any software and/or firmware (“code”) which may configure the hardware, be executed by the hardware, and/or otherwise be associated with the hardware. As utilized herein, “and/or” means any one or more of the items in the list joined by “and/or”. As an example, “x and/or y” means any element of the three-element set {(x), (y), (x, y)}. As another example, “x, y, and/or z” means any element of the seven-element set {(x), (y), (z), (x, y), (x, z), (y, z), (x, y, z)}. As utilized herein, the terms “block” and “module” refer to functions that can be implemented in hardware, software, firmware, or any combination of one or more thereof. As utilized herein, the term “exemplary” means serving as a non-limiting example, instance, or illustration. As utilized herein, the terms “e.g.” and “for example” introduce a list of one or more non-limiting examples, instances, or illustrations.

FIG. 1A depicts an exemplary network in which content is protected utilizing a network fingerprint. Shown in FIG. 1A is a local area network (LAN) 100 connected to a cable headend 114. The exemplary LAN 100 comprises a gateway 102 and network devices 104 a-104 c coupled via links 106 a-106 d and splitters 108 a-108 b. The LAN 100 also comprises devices 110 a-110 b coupled to network devices 104 a and 104 c via links 112 a and 112 b, respectively.

Each of the links 106 a-106 f may comprise wired cabling, optical cabling, and/or wireless links. In an exemplary embodiment, each of the links 106 a-106 f may comprise coaxial cabling. The splitter 108 a may be operable to electrically couple links 106 a, 106 b, 106 c, and 106 f such that the signal on each of these four links is substantially the same. The splitter 108 b may be operable to electrically couple links 106 c, 106 d, and 106 e such that the signal on each of these three links is substantially the same.

The device 102 may comprise circuitry operable to communicate over the links 106 a-106 f. The circuitry of the device 102 may also be operable to communicate with cable headend 114. The device 102 may be, for example, a set-top box or gateway operable to receive media and data from the cable headend 114 via the links 106 f and 106 b, process the received media and data, and convey the processed media and data to the devices 104 a-104 c via the links 106 a-106 e. In an exemplary embodiment, the device 102 may communicate the processed media and/or data over the links 106 b-106 e in accordance with multimedia over coaxial alliance (MoCA) standards. In such an embodiment, the device 102 may function as the network coordinator of the MoCA network.

The circuitry of the device 102 may also be operable to discover one or more values of one or more parameters. For example, the circuitry of the device 102 may be operable to measure phase, frequency, and/or timing characteristics of one or more of the links 106 a-106 f and/or the devices 102, 104 a, 104 b, and 104 c. Additionally or alternatively, the circuitry of the device 102 may be operable to discover parameter values by requesting such values from other devices. Such discovery of parameter values may be performed by a hardware security processor of the device 102.

Each of the devices 104 a-104 c may comprise circuitry operable to communicate over the links 106 a-106 e. The device 104 c may be, for example, a wireless access point operable to convert between the network protocols (e.g., MoCA or DOCSIS) utilized on the links 106 b-106 e and the network protocols (e.g., IEEE 802.11) utilized on the link 112 b. The device 104 a may be, for example, a network adaptor operable to convert between the network protocols (e.g., MoCA or DOCSIS) utilized on the links 106 b-106 e and the network protocols (e.g., HDMI or USB) utilized on the link 112 a.

The circuitry of each of the devices 104 a, 104 b, and 104 c may also be operable to discover one or more values of one or more parameters. For example, the circuitry of the devices 104 a, 104 b, and 104 c may be operable to measure phase, frequency response, and/or timing characteristics of one or more of the links 106 a-106 f and/or the devices 102, 104 a, 104 b, and 104 c. Additionally or alternatively, the circuitry of the device 102 may be operable to discover parameter values by requesting such values from other devices. Such discovery of parameter values may be performed by a hardware security processor of the devices 104 a, 104 b, and 104 c.

The devices 110 a and 110 b may comprise circuitry operable to receive media and/or data via the links 112 a and 112 b, respectively. Each of the devices 110 a and 110 b may be, for example, an end-point such as a television or personal computer.

In operation, the devices 102 and 104 a-104 c may exchange signals (e.g., probe signals and/or responses to probe signals) to discover a network “fingerprint.” The network fingerprint may comprise a combination of one or more network parameters and values of those parameters that is unique to a desired probability. The number of parameters and corresponding parameter values utilized to generate the fingerprint may depend on the desired probability that the fingerprint be unique. Similarly, the accuracy with which the parameter values are measured may be determined based on the desired probability of uniqueness.

Exemplary parameters for which values may be discovered comprise: physical length of one or more of the links 106 a-106 f; phase shift introduced by one or more of the links 106 a-106 f; propagation delay of one or more of the links 106 a-106 f; a modulation profile, or portion thereof, utilized by one or more of the device 102, the devices 104 a-c, and the headend 114; transmit power utilized by one or more of the device 102, the devices 104 a-c, and the headend 114; resistance, capacitance and/or inductance of one or more of the links 106 a-106 f; an amount of time required to receive a response to a particular request from a particular device; reflectivity measured on one or more of the links 106 a-106 f; unique identifiers of one or more of the devices 102, 104 a, 104 b, and 104 c; frequency response of one or more of the links 106 a-106 f; frequency of signals transmitted by one or more of the devices 102, 104 a, 104 b, and 104 c onto the links 106 a-106 f; phase of signals transmitted by one or more of the devices 102, 104 a, 104 b, and 104 c onto the links 106 a-106 f; how many devices 102 and 104 a-104 c and/or splitters 108 a-108 c are present in the network 100; phase offset between clocks in two or more of the devices 102, 104 a, 104 b, and 104 c; a frequency offset between clocks in the devices 102, 104 a, 104 b, and 104 c; and a time offset between clocks in two or more of the devices 102, 104 a, 104 b, and 104 c.

In an exemplary embodiment, while determining the network fingerprint, one or more of the devices 102, 104 a, 104 b, and 104 c may discover one or more of the parameter values and securely communicate the results to, for example, the network coordinator 102 and/or the headend 114. In this manner, the device 102 and/or the headend 114 may then generate the fingerprint utilizing the received parameter values. In an embodiment, each of the devices 104 a, 104 b, and 104 c may know only a portion of the parameter values utilized to generate the network fingerprint such that the device 102 and/or the headend 114 are the only devices that know the fingerprint. It is also possible for a device pair such as 104 a and 104 c to discover unique parameters without the network coordinator 102 or headend 114 being involved in the discovery.

In an exemplary embodiment, the fingerprint may be utilized for protecting the distribution of content to and/or within the network 100. Exemplary steps for such use of the network fingerprint are described below with respect to FIGS. 4-6.

FIG. 1B depicts an exemplary network in which content is protected utilizing a network fingerprint. Shown in FIG. 1B is a local area network (LAN) 150 connected to a satellite dish 170 and a wide area network (WAN) 166. The exemplary LAN 150 comprises a gateway 152 and network devices 104 a-104 c coupled via links 106 a-106 e and splitters 108 a-108 b. The LAN 150 also comprises devices 110 a-110 b coupled to network devices 104 a and 104 c via links 112 a and 112 b, respectively. The LAN 150 is coupled to the WAN 166 via a link 164 and to the satellite dish 170 via the link 106 f.

Each of the devices 104 a and 104 c, the links 106 a-106 f, the splitters 108 a and 108 b, and the devices 110 a and 110 b may be as described above with reference to FIG. 1A.

The WAN 166 may be, for example, a digital subscriber line (DSL) network or any other suitable wide area network.

The device 152 may comprise circuitry operable to communicate over the links 106 a-106 f in accordance with a local area networking standard (e.g., MoCA). The circuitry of the device 152 may also be operable to receive and process signals from the satellite 170. The device 152 may be, for example, a set-top box or gateway operable to receive media from the satellite dish 170 via the links 106 f and 106 b, process the received media, and convey the processed media to the devices 104 a-104 c via the links 106 a-106 e. Additionally, the device 152 may be operable to receive data via the link 164, process the received data, and convey the processed data to the devices 104 a-104 c via the links 106 a-106 e.

In an exemplary embodiment, the device 152 may communicate the processed media and/or data over the links 106 a-106 e in accordance with multimedia over coaxial alliance (MoCA) standards. In such an embodiment, the device 152 may function as the network coordinator of the MoCA network.

The circuitry of the device 152 may also be operable to discover one or more values of one or more parameters. For example, the circuitry of the device 152 may be operable to measure phase, frequency, and/or timing characteristics of one or more of the links 106 a-106 f and/or the devices 152, 104 a, 104 b, and 104 c. Additionally or alternatively, the circuitry of the device 152 may be operable to discover parameter values by requesting such values from other devices. Such discovery of parameter values may be performed by a hardware security processor of the device 512.

The satellite dish 170 may comprise circuitry operable to receive satellite signals and output the received signals onto the communication link 106 f. The satellite dish 170 may, for example, comprise an Internet Protocol low noise block-downconverter (IPLNB) 168. The IPLNB 168 may be as described in above-incorporated U.S. patent application No. 13/326,125.

In operation, the devices 152, 104 a, 104 b, 104 c, and 168 may exchange signals to discover a network fingerprint similar to the manner described above with respect to FIG. 1A. In an exemplary embodiment, while determining the network fingerprint, one or more of the devices 152, 104 a, 104 b, 104 c, and 168 may discover one or more of the parameter values and securely communicate the results to, for example, the network coordinator 152 and/or the IPLNB 168. In this manner, the device 152 and/or the IPLNB 168 may then generate the fingerprint utilizing the received parameter values. In an embodiment, each of the devices 152, 104 a, 104 b, 104 c may know only a portion of the parameter values utilized to generate the network fingerprint such that the IPLNB 168 is the only device that knows the fingerprint.

In an exemplary embodiment, the generated fingerprint may be securely communicated to a service provider via the link 164 and the WAN 166. In an exemplary embodiment, the fingerprint may be utilized for protecting the distribution of content to and/or within the network 150. Exemplary steps for such use of the network fingerprint are described below with respect to FIGS. 4-6.

FIG. 2 depicts an exemplary network device for use in a network that is secured utilizing a network fingerprint. The exemplary device 200 comprises a plurality of modules including an analog front end (AFE) 212, a digital signal processor (DSP) 202, a central processing unit (CPU) 204, a memory 206, and a conditional access (CA)/digital rights management (DRM) module 210. The device 200 may represent any of the devices 102, 104 a, 104 b, 104 c, 152, 104 a, 104 b, and 104 c.

The AFE 212 may be operable to transmit and/or receive information utilizing any suitable communication protocol(s). In an exemplary embodiment of the invention, the AFE 212 may be operable to perform analog-domain processing operations that enable transmission and/or reception of signals in accordance with one or more communication protocols. In instances of the device 200 corresponding to devices 102, 104 a, 104 b, 104 c, 152, 104 a, 104 b, and 104 c, the AFE 212 may be operable to transmit and/or receive signals in accordance with, for example, cable television, satellite television, DOCSIS, and/or MoCA standards via a link 106 or 106. In instances of the device 200 corresponding to the device 152, the AFE 212 may be operable to transmit and/or receive signals in accordance with a WAN protocol (e.g., DSL) via a link 164. In instances of the device 200 corresponding to the devices 104 a and 104 b, the AFE 212 may be operable to transmit and/or receive signals in accordance with a LAN protocol (e.g., Ethernet, Wi-Fi, USB, and/or HDMI) via the one or more links 112.

The CPU 204 may be operable to execute instructions (e.g., an operating system) to control operations of the device 200. For example, the CPU 204 may generate control signals for configuring a mode of operation of the device 200, and controlling operation of the other components of the device 200.

The memory 206 may comprise any suitable type of volatile and/or non-volatile memory operable to store data and/or instructions. For example, the memory 206 may be utilized to store instructions executed by the CPU 204 and buffer data being transmitted and/or received via the AFE 212.

The DSP 202 may be operable to perform digital signal processing algorithms and functions in accordance with one or more communication standards. For example, the DSP 202 may be operable to perform digital filtering, constellation mapping, constellation demapping, interleaving, deinterleaving, and error correction. In an exemplary embodiment of the invention, the DSP 202 may be operable to perform digital-domain processing functions that enable transmission and/or reception of cable television signals, satellite television signals, DOCSIS signals, MoCA signals, and/or signals adhering to one or more other communication protocols.

The conditional access (CA)/digital rights management (DRM) module 210 may comprise circuitry operable to descramble and/or decrypt signals received via one or more of the links 106 a-106 f. In terms of “conditional access,” this may enable descrambling and/or decrypting content that is permitted by a service-level agreement between the content provider (e.g., satellite and/or cable television provider) and the owner of the device 200. In terms of “digital rights management” this may enable the CA/DRM module 210 to decrypt and/or descramble content communicated to it by a device with which it has established a secure connection. In an exemplary embodiment, the CA/DRM module 210 may decrypt and/or descramble utilizing a key generated based on a network fingerprint. Additionally or alternatively, the circuitry of the CA/DRM module 210 may be operable to scramble and/or encrypt signals to be transmitted via one or more of the links 106 a-106 f. In an exemplary embodiment, content may be encrypted and/or scrambled utilizing a key generated based on a network fingerprint.

In an exemplary embodiment, the CA/DRM module 210 may be implemented in a hardware security processor. In an exemplary embodiment, the CA/DRM module 210 may be operable to discover the network fingerprint (e.g., by performing parameter value measurements itself and/or receiving parameter value measurements from other components and/or devices), and decide whether to decrypt, descramble, encrypt, and/or scramble based on the network fingerprint (e.g., by comparing it to a previous or known-good network fingerprint). Ways in which devices such as the device 200 may utilize a network fingerprint for securing content are described below with respect to FIGS. 4-6.

FIGS. 3A, 3B, and 3C depict exemplary network fingerprints for the networks 100 and 150. In the exemplary fingerprint of FIG. 3A, parameters utilized for the fingerprint include unique identifiers of the network devices, phase difference between devices, frequency difference between devices, and time for device 2 to respond to a particular request from device 1. In the exemplary fingerprint of FIG. 3B, parameters utilized for the fingerprint include unique identifiers of the network devices, clock offset between devices, and latency between devices (i.e. time for a particular packet to travel between devices). In the exemplary fingerprint of FIG. 3C, parameters utilized for the fingerprint include unique identifiers of the network devices, a modulation profile utilized for communications between the devices, and a transmit power utilized for communications between the devices. The modulation profile may indicate, for example, a type and/or order of modulation utilized for each of a plurality of subcarriers.

FIG. 4 is a flowchart illustrating exemplary steps for protecting content utilizing a network fingerprint. In step 402, the devices 102, 104 a, 104 b, and 104 c may be connected to the channel comprising the links 106 a-106 f and powered on. In step 404, signals may be communicated among the devices 102, 104 a, 104 b, and 104 c to discover the network fingerprint. This may comprise sending signals to measure the value of one or more link and/or device parameters, and storing the measured parameter values in the device 102. After the network fingerprint has been generated, in step 406, the devices may enter a normal mode of operation.

In step 408, the device 104 a may send a request for content to the device 102. In step 410, the device 102 may measure one or more parameter values and/or request parameter values from one or more of the devices 104 a, 104 b, and 104 c to discover the current network fingerprint. The device 102 may then compare the current network fingerprint to the fingerprint generated in step 404.

If the current fingerprint does not match the fingerprint generated in step 404, then in step 412, the request for content may be denied. In this manner, various characteristics of the network 100 may determine whether the request for content from device 104 a is granted. If, for example, the network fingerprint is one of the fingerprints shown in FIGS. 3A and 3B, then the determination of whether to grant the request may be based not only on parameter values corresponding to the network path between the source device 102 and the destination device 104 a (i.e., the network path consisting of devices 102 and 104 a, and links 106 a and 106 b), but also on one or more parameter values corresponding to devices and/or links that are not part of the network path between source device and destination device (i.e., devices 104 b and 104 c, and links 106 c, 106 d, and 106 e).

For example, if an additional link and device were connected to a fourth port of splitter 108 b, parameter values of the network path between device 102 and 104 a may be unaffected, but values of parameters corresponding to other links and devices (e.g., the phase shift between device 102 and 104 c) may have changed. If those changed parameters were included in the network fingerprint, then the addition of the link and device has changed the network fingerprint. Consequently, depending on network security policies, the request from 104 a may be denied as a result of the inconsistency between the previously-determined network fingerprint and the current network fingerprint.

Returning to step 410, if the current fingerprint does match the fingerprint generated in step 404, then, in step 414, request for content may be granted. In step 416, the device 102 may remove content protection from the requested content and send the content to the device 104 a.

Although the steps of FIG. 4 are described with the device 102 performing many of the steps, in other embodiments such steps could be performed by, for example, the headend 114. Similarly, although the steps of FIG. 4 are described with respect to network 100 of FIG. 1A, the steps could also be performed in the network 150 with, for example, the device 168 and/or 152 performing the steps described above as being performed by device 102.

FIG. 5 is a flowchart illustrating exemplary steps for protecting content utilizing a network fingerprint. In step 502, the devices 168, 152, 104 a, 104 b, and 104 c may be connected to the channel comprising the links 106 a-106 f and powered on. In step 504, signals may be communicated among the devices 168, 152, 104 a, 104 b, and 104 c to discover the network fingerprint. This may comprise sending signals to measure the value of one or more link and/or device parameters, and storing the measured parameter values in the IPLNB 168. After the network fingerprint has been generated, in step 408, the devices 168, 152, 104 a, 104 b, and 104 c may enter a normal mode of operation.

In step 508, the IPLNB 168 may periodically and/or occasionally re-measure the parameter values utilized to generate the network fingerprint in step 504. In step 510, it may be determined whether the current parameter values are within a tolerance of the parameter values that were measured in step 504. If the parameter values are within the permitted tolerance of the values measured in step 504, then, in step 514, the IPLNB 168 may continue (or begin, in the case of the first time through step 514) transmitting protected content onto the network path between the IPLNB 168 and the gateway 152 (i.e., the network path consisting of IPLNB 168, link 106 f and device 152). The exemplary steps may then return to step 508.

Returning to step 510, if the parameter values are not within the permitted tolerance, then in step 512 the IPLNB 168 may stop transmitting protected content onto the network path between the IPLNB 168 and the gateway 152. In some instances, the IPLNB 168 may also notify a network administrator and/or service provider of the problem with the network fingerprint.

Although the steps of FIG. 5 are described with the IPLNB 168 performing many of the steps, in other embodiments such steps could be performed by, for example, the headend 114, the device 102, and/or the device 152.

FIG. 6 is a flowchart illustrating content protection utilizing a security key generated based on a network footprint. In the network 100 of FIG. 1A, various portions of the steps of FIG. 6 could be performed by any one or more of the device 102, the devices 104 a-c, and/or the headend 114. Similarly, in the network 150 of FIG. 1B, various portions of the steps of FIG. 6 could be performed by any one or more of the device 152, the devices 104 a-c, and/or the IPLNB 168. The exemplary steps begin with step 604 in which network parameters to be utilized for securing content are selected. The parameters may, for example, be selected based on user input from a network administrator, capabilities of devices in the network, based on protocols in use in the network, based on a topology of the network, arbitrarily, and/or based on any other suitable factor(s). In step 606 values of the parameters selected in step 604 may be measured by, for example, the device 102. In step 608, the device 102 may utilize the measured parameter values to generate a security key. In step 610, the device 102 may utilize the security key to encrypt data. In step 612, the device 102 may transmit the encrypted data to, for example, the device 104 b. In step 614, the device 104 b may measure the same parameter values that the device 102 measured in step 606. In step 616, the device 104 b may generate a security key from the measured parameter values in the same manner that the device 602 generated the security key in step 608. In step 618, the device 104 b may attempt to decrypt the received data utilizing the key generated in step 616. If the parameter values measured in step 614 have not changed, or are within a permitted tolerance, of the parameter values measured in step 606, then the data may be successfully decrypted utilizing the key generated in step 616. If the parameter values measured in step 614 have changed and are not within a permitted tolerance of the parameter values measured in step 606, then the device 104 b may be unsuccessful in attempting to decrypt the data.
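The key-from-fingerprint flow of FIG. 6, as an added Python illustration that is not part of the patent text. The quantization steps, the measurement values and the hash-based cipher (a standard-library stand-in for a real authenticated cipher) are assumptions made for the example; the last pair of readings differs by only 0.3 degrees but straddles a quantization boundary, so the receiver derives a different key and decryption fails.

```python
import hashlib
import hmac
import math
import os

# Constructed quantization steps: two readings that fall in the same bucket
# produce the same key. The patent text does not say how tolerance is applied.
STEP = {"phase_deg": 4.0, "latency_ns": 10.0}


def derive_key(fingerprint, step=STEP):
    """Steps 608/616: quantize, serialize in a fixed order, hash to 32 bytes.

    The key has no more entropy than the quantized measurements themselves.
    """
    parts = []
    for (param, a, b), value in sorted(fingerprint.items()):
        bucket = math.floor(value / step[param])
        parts.append(f"{param}:{a}:{b}:{bucket}")
    return hashlib.sha256(("netfp-key-v1|" + "|".join(parts)).encode()).digest()


def _subkey(key, label):
    # Separate keys for the keystream and the MAC.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Step 610: encrypt-then-MAC. Stdlib stand-in for a real AEAD cipher."""
    nonce = os.urandom(12)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Step 618: return the plaintext, or None if the key does not fit."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


# Constructed measurements, keyed by (parameter, endpoint, endpoint).
PHASE_102_104C = ("phase_deg", "102", "104c")
SENDER = {
    PHASE_102_104C: 41.3,
    ("latency_ns", "102", "104a"): 122.0,
    ("latency_ns", "102", "104b"): 187.0,
}
# Same network, ordinary measurement noise: every value stays in its bucket.
RECEIVER_SAME_NETWORK = {
    PHASE_102_104C: 42.1,
    ("latency_ns", "102", "104a"): 124.0,
    ("latency_ns", "102", "104b"): 185.0,
}
# Network changed: the phase shift between 102 and 104c moved to another bucket.
RECEIVER_CHANGED_NETWORK = {**SENDER, PHASE_102_104C: 55.0}
# Failure mode of plain quantization: 43.9 and 44.2 lie either side of 44.0.
SENDER_NEAR_EDGE = {**SENDER, PHASE_102_104C: 43.9}
RECEIVER_NEAR_EDGE = {**SENDER, PHASE_102_104C: 44.2}


def try_decrypt(sender_fp, receiver_fp, message=b"protected content"):
    """Steps 606-618 end to end: sender seals, receiver re-derives and opens."""
    blob = seal(derive_key(sender_fp), message)
    return open_sealed(derive_key(receiver_fp), blob)


if __name__ == "__main__":
    print(try_decrypt(SENDER, RECEIVER_SAME_NETWORK))
    print(try_decrypt(SENDER, RECEIVER_CHANGED_NETWORK))
    print(try_decrypt(SENDER_NEAR_EDGE, RECEIVER_NEAR_EDGE))
```

The boundary case is why a deployment that needs a true "within tolerance" guarantee would pair the measurements with error-tolerant key reconciliation rather than plain bucketing.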

FIG. 7 is a flowchart illustrating exemplary steps for controlling access to a network based on a network fingerprint. In the network 100 of FIG. 1A, various portions of the steps of FIG. 6 could be performed by any one or more of the device 102, the devices 104 a-c, and/or the headend 114. Similarly, in the network 150 of FIG. 1B, various portions of the steps of FIG. 7 could be performed by any one or more of the device 152, the devices 104 a-c, and/or the IPLNB 168. In step 704, the network fingerprint of the network 100 may be determined for various configurations of the network 100. Different configurations may, for example, have different ones of the devices 104 a, 104 b, and 104 c powered off and/or disconnected from the network. For example, a first network fingerprint may be determined for a configuration in which each of devices 104 a, 104 b, and 104 c is connected to the network 100 and powered on, and a second network fingerprint may be determined for a configuration in which the device 104 b is disconnected from the network 100. The fingerprints discovered during this initialization phase may be stored (e.g., in a security processor of the device 102) as known-valid fingerprints.

In step 706, the network 100 may begin operation in the second configuration. In step 708, a device identifying itself as device 104 c may be powered on and request admission to the network. In step 710, a current network fingerprint with the purported device 104 c powered on may be discovered and compared to the known-valid fingerprints determined in step 706. If the current network fingerprint matches, within a tolerance, one of the known-valid fingerprints (the second known-valid fingerprint in this instance), then in step 714 it may be decided that the device is actually device 104 c and admission to the network may be granted. If the current network fingerprint does not match, within a tolerance, one of the known-valid fingerprints (the second known-valid fingerprint in this instance), then in step 712 it may be decided that the device purporting to be device 104 c is an imposter and admission to the network may be denied.
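The tolerance comparison used in FIGS. 4, 5 and 7, as an added Python illustration that is not part of the patent text. Parameter names, values and tolerances are constructed for the example; the second case is the one described for FIG. 4, where a device added at splitter 108 b leaves the measurements between 102 and 104 a unchanged but shifts an off-path measurement, and the request is still denied.

```python
# A fingerprint maps (parameter, endpoint, endpoint) -> measured value.
# Constructed per-parameter tolerances; the patent leaves the values open.
TOLERANCE = {"phase_deg": 2.0, "latency_ns": 5.0}


def matches(current, reference, tolerance=TOLERANCE):
    """True if both fingerprints cover the same measurements and every
    value agrees within the tolerance for its parameter."""
    if current.keys() != reference.keys():
        return False
    return all(abs(current[k] - reference[k]) <= tolerance[k[0]] for k in reference)


def match_known_valid(current, known_valid):
    """Name of the first known-valid fingerprint that matches, else None."""
    for name, reference in known_valid.items():
        if matches(current, reference):
            return name
    return None


def decide_request(current, known_valid):
    """Grant or deny on the whole-network fingerprint, not only on the
    path between the requester and the source."""
    return "grant" if match_known_valid(current, known_valid) else "deny"


def changed_measurements(current, reference, tolerance=TOLERANCE):
    """Measurements that are missing, extra or out of tolerance; useful for
    the administrator notification mentioned for FIG. 5."""
    changed = set(current.keys() ^ reference.keys())
    for k in current.keys() & reference.keys():
        if abs(current[k] - reference[k]) > tolerance[k[0]]:
            changed.add(k)
    return sorted(changed)


# Constructed enrollment data for two configurations of network 100.
ALL_ON = {
    ("phase_deg", "102", "104a"): 12.0,
    ("phase_deg", "102", "104b"): 27.5,
    ("phase_deg", "102", "104c"): 41.0,
    ("latency_ns", "102", "104a"): 122.0,
    ("latency_ns", "102", "104b"): 187.0,
    ("latency_ns", "102", "104c"): 203.0,
}
B_OFF = {
    ("phase_deg", "102", "104a"): 12.0,
    ("phase_deg", "102", "104c"): 40.0,
    ("latency_ns", "102", "104a"): 122.0,
    ("latency_ns", "102", "104c"): 203.0,
}
KNOWN_VALID = {"all_on": ALL_ON, "104b_off": B_OFF}

# Case 1: same network, ordinary drift between measurements.
REMEASURED_OK = {
    ("phase_deg", "102", "104a"): 12.4,
    ("phase_deg", "102", "104b"): 27.0,
    ("phase_deg", "102", "104c"): 41.9,
    ("latency_ns", "102", "104a"): 123.0,
    ("latency_ns", "102", "104b"): 185.5,
    ("latency_ns", "102", "104c"): 204.0,
}
# Case 2: extra device on splitter 108b. Values on the 102-104a path are
# untouched; only the off-path phase shift between 102 and 104c moved.
EXTRA_DEVICE_ON_108B = {**ALL_ON, ("phase_deg", "102", "104c"): 48.5}
# Case 3: the configuration with 104b disconnected, re-measured.
B_OFF_REMEASURED = {
    ("phase_deg", "102", "104a"): 12.3,
    ("phase_deg", "102", "104c"): 40.8,
    ("latency_ns", "102", "104a"): 121.0,
    ("latency_ns", "102", "104c"): 204.5,
}

if __name__ == "__main__":
    print(decide_request(REMEASURED_OK, KNOWN_VALID))
    print(decide_request(EXTRA_DEVICE_ON_108B, KNOWN_VALID),
          changed_measurements(EXTRA_DEVICE_ON_108B, ALL_ON))
    print(match_known_valid(B_OFF_REMEASURED, KNOWN_VALID))
```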

Other embodiments of the invention may provide a non-transitory computer readable medium and/or storage medium, and/or a non-transitory machine readable medium and/or storage medium, having stored thereon, a machine code and/or a computer program having at least one code section executable by a machine and/or a computer, thereby causing the machine and/or computer to perform the steps as described herein for providing conditional access based on channel characteristics.

Accordingly, the present invention may be realized in hardware, software, or a combination of hardware and software. The present invention may be realized in a centralized fashion in at least one computing system, or in a distributed fashion where different elements are spread across several interconnected computing systems. Any kind of computing system or other apparatus adapted for carrying out the methods described herein is suited. A typical combination of hardware and software may be a general-purpose computing system with a program or other code that, when being loaded and executed, controls the computing system such that it carries out the methods described herein. Another typical implementation may comprise an application specific integrated circuit or chip.

The present invention may also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which when loaded in a computer system is able to carry out these methods. Computer program in the present context means any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.

While the present invention has been described with reference to certain embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the present invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the present invention without departing from its scope. Therefore, it is intended that the present invention not be limited to the particular embodiment disclosed, but that the present invention will include all embodiments falling within the scope of the appended claims.

What is claimed is:
 1. A system comprising: one or more circuits for use in a first network device of a network, said one or more circuits being operable to: discover one or more values of one or more parameters corresponding to a plurality of links and/or a plurality of devices of said network; generate one or more security keys utilizing said discovered one or more values; encrypt data utilizing said one or more security keys; and transmit said encrypted data onto a network path between said first network device and one of said plurality of devices, wherein at least one of said plurality of links and/or plurality of devices are not part of said network path.
 2. The system of claim 1, wherein said one or more parameters comprise one or more of: a clock frequency offset between two of said plurality of devices; a clock phase offset between two of said plurality of devices; and a clock time offset between two of said plurality of devices.
 3. The system of claim 1, wherein said one or more parameters comprise a plurality of modulation profiles utilized by one or more of said plurality of devices.
 4. The system of claim 1, wherein said one or more parameters comprise an amount of time required for a particular packet to be communicated, via said network, from said first network device to a particular one of said plurality of devices.
 5. The system of claim 1, wherein said one or more parameters comprise an amount of time between said first network device transmitting a request and receiving a corresponding response from one or more of said plurality of devices.
 6. The system of claim 1, wherein said one or more parameters comprise a length of one or more of said plurality of links.
 7. The system of claim 1, wherein said one or more parameters comprise a phase response of one or more of said plurality of links.
 8. The system of claim 1, wherein said one or more parameters comprise a frequency response of one or more of said plurality of links.
 9. A system comprising: one or more circuits for use in a first network device of a network, said one or more circuits being operable to: receive encrypted data; discover one or more values of one or more parameters corresponding to a plurality of links and/or a plurality of devices of said network, wherein at least one of said plurality of links and/or plurality of devices are not part of said network path; generate one or more security keys utilizing said discovered one or more values; and decrypt said received encrypted data utilizing said one or more security keys.
 10. The system of claim 9, wherein said one or more parameters comprise one or more of: a clock frequency offset between two of said plurality of devices; a clock phase offset between two of said plurality of devices; and a clock time offset between two of said plurality of devices.
 11. The system of claim 9, wherein said one or more parameters comprise a plurality of modulation profiles utilized by one or more of said plurality of devices.
 12. The system of claim 9, wherein said one or more parameters comprise an amount of time required for a particular packet to be communicated, via said network, from said first network device to a particular one of said plurality of devices.
 13. The system of claim 9, wherein said one or more parameters comprise an amount of time between said first network device transmitting a request and receiving a corresponding response from one or more of said plurality of devices.
 14. The system of claim 9, wherein said one or more parameters comprise a length of one or more of said plurality of links.
 15. The system of claim 9, wherein said one or more parameters comprise a phase response of one or more of said plurality of links.
 16. The system of claim 9, wherein said one or more parameters comprise a frequency response of one or more of said plurality of links.